skills/github-actions/SKILL.md
Use when adding CI/CD, creating workflows, auditing GitHub Actions, or fixing action pinning. Creates and audits workflows for SHA pinning and permissions.
Install: `npx skillsauth add tartinerlabs/skills github-actions`
Determine the mode based on context:
- Create: no `.github/workflows/` directory exists, or the user explicitly asks to create/add a workflow.
- Audit: `.github/workflows/*.yml` files exist, or the user explicitly asks to audit/review/fix workflows.

Scan for project indicators:
- `package.json` → Node.js/JS/TS
- `go.mod` → Go
- `requirements.txt` / `pyproject.toml` / `setup.py` → Python
- `Cargo.toml` → Rust
- `Gemfile` → Ruby
- `pnpm-lock.yaml` → pnpm
- `bun.lock` / `bun.lockb` → bun
- `yarn.lock` → yarn
- `package-lock.json` → npm

Apply all rules from the `rules/` directory when generating workflows. Read each rule file for detailed requirements and examples.
Adapt this CI template to the detected project type and package manager (replace `<pm>` with the detected package manager; the `@v4` tags below are placeholders to be replaced with full commit SHAs per `rules/action-pinning.md`):

```yaml
name: CI
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
permissions:
  contents: read
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
jobs:
  ci:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4 # pin to a full commit SHA (rules/action-pinning.md)
      - uses: actions/setup-node@v4 # pin to a full commit SHA (rules/action-pinning.md)
        with:
          node-version: 'lts/*'
          cache: '<pm>'
      - run: <pm> install --frozen-lockfile
      - run: <pm> check
      - run: <pm> test
      - run: <pm> build
```
Read all files in `.github/workflows/*.yml` and audit against every rule in the `rules/` directory. Report findings in this format (X, Y, Z and N are counts taken from the audit):

```markdown
## GitHub Actions Audit Results
### HIGH Severity
- `.github/workflows/ci.yml:15` - `codecov/codecov-action@v4` → pin to commit SHA
### MEDIUM Severity
- `.github/workflows/ci.yml` - Missing concurrency group → add concurrency block
### Summary
- High: X
- Medium: Y
- Low: Z
- Files scanned: N
```

After reporting, apply fixes. Look up commit SHAs for pinning using `gh api`.
Read individual rule files for detailed checks and examples:
| Rule | Severity | File |
|------|----------|------|
| Action pinning | HIGH | rules/action-pinning.md |
| Permissions | HIGH | rules/permissions.md |
| Concurrency | MEDIUM | rules/concurrency.md |
| Node version | MEDIUM | rules/node-version.md |
| Caching | MEDIUM | rules/caching.md |
| Triggers | LOW | rules/triggers.md |
| Matrix strategy | LOW | rules/matrix.md |
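As an added example (not part of the skill's own files), a minimal Python auditor that applies the action-pinning, permissions and concurrency rules from the table above to a constructed workflow and renders findings in the report format given earlier. It assumes that only a full 40-hex `@ref` counts as pinned; the SHA in the sample is a constructed placeholder, not a real commit.

```python
import re
# Constructed sample (not from the skill): one placeholder-SHA pin, one tag pin, no permissions/concurrency.
SAMPLE_WORKFLOW = """name: CI
on: [push]
jobs:
  ci:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: codecov/codecov-action@v4
      - run: npm test
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # only a full commit SHA counts as pinned
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")  # step or reusable-workflow ref

def audit_workflow(path, text):
    """Return (severity, location, message) findings for one workflow file."""
    findings, lines = [], text.splitlines()
    # Top-level YAML keys: unindented, non-comment lines.
    top_level = {ln.split(":")[0] for ln in lines
                 if ln and not ln[0].isspace() and not ln.startswith("#")}
    for lineno, line in enumerate(lines, 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1).strip("'\"")
        if ref.startswith(("./", "docker://")):
            continue  # local paths and docker images are out of scope for SHA pinning
        if not SHA_RE.match(ref.partition("@")[2]):
            findings.append(("HIGH", f"{path}:{lineno}", f"`{ref}` → pin to commit SHA"))
    if "permissions" not in top_level:
        findings.append(("HIGH", path, "Missing top-level permissions → add `permissions: contents: read`"))
    if "concurrency" not in top_level:
        findings.append(("MEDIUM", path, "Missing concurrency group → add concurrency block"))
    return findings

def render_report(findings, files_scanned):
    """Render findings in the audit-results format the skill prescribes."""
    by_sev = {"HIGH": [], "MEDIUM": [], "LOW": []}
    for sev, loc, msg in findings:
        by_sev[sev].append(f"- `{loc}` - {msg}")
    out = ["## GitHub Actions Audit Results"]
    for sev, items in by_sev.items():
        if items:
            out += [f"### {sev} Severity", *items]
    out += ["### Summary", f"- High: {len(by_sev['HIGH'])}", f"- Medium: {len(by_sev['MEDIUM'])}",
            f"- Low: {len(by_sev['LOW'])}", f"- Files scanned: {files_scanned}"]
    return "\n".join(out)
```

Run it over each file matched by `.github/workflows/*.yml` and pass the file count to `render_report`; fixes (SHA lookups via `gh api`) are a separate step after the report.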
GitHub CLI (`gh`) is available for looking up action commit SHAs.